TrendMicro

From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA

Security teams should act promptly to prevent similar incidents. The following are some recommendations:

1. Disable public access to Actuator endpoints using:

  • IP allowlists
  • Reverse proxy protections
  • Requirement of a valid authenticated user

Moreover, in production environments, endpoints like /env and /configprops should never be publicly accessible.
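To make recommendation 1 checkable rather than aspirational, here is an added example (not Trend Micro's code and not taken from the incident) that parses a Spring Boot `application.properties` file and flags the exposure settings that would publish /env and /configprops. The `management.*` property keys are standard Spring Boot keys; the two sample configurations are constructed, and the defaults assumed ("health" only, values masked) are those of Spring Boot 3.x.

```python
"""Audit Spring Boot Actuator exposure settings in application.properties text.

Added example, not Trend Micro's code. Property keys are standard Spring Boot
management.* keys; defaults assumed are those of Spring Boot 3.x. The sample
configurations are constructed.
"""
from __future__ import annotations

# Endpoints that leak configuration or memory contents when reachable.
SENSITIVE_ENDPOINTS = {"env", "configprops", "heapdump", "beans", "mappings"}

# Constructed: the kind of setting that exposes /env and /configprops.
WEAK_CONFIG = """
# expose everything, show secrets unmasked
management.endpoints.web.exposure.include=*
management.endpoint.env.show-values=ALWAYS
"""

# Constructed: hardened equivalent for production.
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=env,configprops
management.endpoint.env.show-values=NEVER
management.endpoint.configprops.show-values=NEVER
management.server.port=8081
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value lines, '#'/'!' comment lines ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv_set(value: str) -> set[str]:
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_actuator(props: dict[str, str]) -> list[str]:
    """Return human-readable findings for risky Actuator settings."""
    findings: list[str] = []
    # Spring Boot 3.x exposes only 'health' over the web unless told otherwise.
    included = _csv_set(props.get("management.endpoints.web.exposure.include", "health"))
    excluded = _csv_set(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = (SENSITIVE_ENDPOINTS if "*" in included else included & SENSITIVE_ENDPOINTS) - excluded
    for endpoint in sorted(exposed):
        findings.append(f"actuator endpoint '{endpoint}' is exposed over HTTP")
    # show-values=ALWAYS turns off masking of secret-looking property values.
    for endpoint in ("env", "configprops"):
        key = f"management.endpoint.{endpoint}.show-values"
        if props.get(key, "NEVER").upper() == "ALWAYS":
            findings.append(f"'{endpoint}' returns property values unmasked ({key}=ALWAYS)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:", audit_actuator(parse_properties(cfg)) or ["no findings"])
```

Exposure is only half of the control. Even an endpoint that stays exposed should sit behind authentication in the Spring Security filter chain (Spring Boot's `EndpointRequest.toAnyEndpoint()` matcher is the usual hook) and behind the reverse-proxy or IP-allowlist rules listed above; a properties audit cannot see either, so treat an empty result as necessary, not sufficient.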

2. Remove plaintext credentials and audit the environment for credentials stored in:

  • Spreadsheets
  • Shared drives
  • Documentation
  • Configuration files

Thereafter, teams should immediately rotate any exposed credentials.

3. Disable ROPC (Resource Owner Password Credentials) authentication.

  • If ROPC is not required, it should be disabled.
  • Organizations should prioritize modern authentication flows that enforce stronger security controls.
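Finding out whether ROPC is still in use, and which accounts sign in without MFA, is the first step of recommendation 3 and of the "accounts that lack MFA enforcement" indicator later on this page. The following is an added example (not Trend Micro's code) that runs that check over Entra ID sign-in records. The records are constructed JSON lines; the field names (`authenticationProtocol`, `authenticationRequirement`, `resourceDisplayName`, `status.errorCode`) follow the Microsoft Graph `signIn` resource and are an assumption about the export format you actually have.

```python
"""Flag ROPC and single-factor sign-ins in Entra ID sign-in log exports.

Added example, not Trend Micro's code. Records are constructed JSON lines; the
field names follow the Microsoft Graph signIn resource and are an assumption
about your export format.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as a Graph export might look.
# Record 3 is a failed attempt; 50126 is Entra's invalid-credentials error code.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-01-15T08:12:03Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Internal Reporting App", "resourceDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-15T08:15:41Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 SharePoint Online", "resourceDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2024-01-15T08:20:19Z", "userPrincipalName": "svc-reporting@example.com", "appDisplayName": "Internal Reporting App", "resourceDisplayName": "Microsoft Graph", "authenticationProtocol": "ropc", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-01-15T09:02:55Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 SharePoint Online", "resourceDisplayName": "Office 365 SharePoint Online", "authenticationProtocol": "oAuth2", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "198.51.100.9", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_legacy_auth(records):
    """Return one finding per sign-in that used ROPC or completed without MFA."""
    findings = []
    for rec in records:
        reasons = []
        if rec.get("authenticationProtocol", "").lower() == "ropc":
            # ROPC submits the raw password and cannot satisfy an interactive MFA prompt,
            # so every ROPC sign-in is worth listing, successful or not.
            reasons.append("ROPC grant")
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if succeeded and rec.get("authenticationRequirement") == "singleFactorAuthentication":
            reasons.append("no MFA")
        if reasons:
            findings.append({
                "time": rec.get("createdDateTime"),
                "user": rec.get("userPrincipalName"),
                "app": rec.get("appDisplayName"),
                "resource": rec.get("resourceDisplayName"),
                "ip": rec.get("ipAddress"),
                "succeeded": succeeded,
                "reasons": reasons,
            })
    return findings


def ropc_users(records):
    """Accounts that have used ROPC at all: candidates for ROPC removal and credential rotation."""
    return {r.get("userPrincipalName") for r in records
            if r.get("authenticationProtocol", "").lower() == "ropc"}


def sharepoint_ropc(findings):
    """Narrow to the incident's pattern: successful ROPC sign-ins reaching SharePoint Online."""
    return [f for f in findings
            if f["succeeded"] and "ROPC grant" in f["reasons"]
            and "SharePoint" in (f["resource"] or "")]


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNIN_LOG)
    hits = find_legacy_auth(recs)
    for h in hits:
        print(f"{h['time']} {h['user']} -> {h['resource']} via {h['app']} "
              f"[{', '.join(h['reasons'])}]{'' if h['succeeded'] else ' (failed)'}")
    print("ROPC users:", sorted(ropc_users(recs)))
    print("reasons:", Counter(reason for h in hits for reason in h["reasons"]))
```

The `ropc_users` set is the list to work through before ROPC is switched off: each account (and the application registration behind it) needs a modern flow and a rotated secret, otherwise disabling ROPC simply breaks the integration. Failed ROPC attempts are kept on purpose; a run of them against one account is the earliest sign that a leaked credential is being tried.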

The investigation identified a SharePoint data exfiltration incident resulting from the misuse of valid credentials, with no evidence of malware deployment or software exploitation. The threat actor successfully authenticated to Entra ID using ROPC, obtained an access token, and leveraged it to interact with SharePoint Online, enabling unauthorized access to data.

Overall, the incident was enabled by three specific security weaknesses: the public exposure of Spring Boot Actuator endpoints that revealed internal application configurations, the storage of sensitive secrets for an internal application in a spreadsheet, and the use of ROPC.

Our investigation underscores the fact that modern cloud breaches often occur through legitimate access rather than technical exploits, emphasizing the need to focus defensive strategies on limiting what attackers can do once authenticated.

TrendAI Vision One™ Cyber Risk Exposure Management (CREM) as a strategic preventive solution

This incident highlighted an increasingly common security challenge: the gap in exposure management across identity, application configuration, and cloud authentication flows. The attack leveraged misconfigurations and legacy authentication mechanisms that were permitted within the environment, instead of relying on malware or a software vulnerability.

A preventive line of defense, such as TrendAI Vision One™ Cyber Risk Exposure Management (CREM), can help organizations identify and prioritize these types of risks before they can be exploited. Rather than focusing solely on active threats, Cyber Risk Exposure Management continuously evaluates an organization’s attack surface and highlights exposures that could enable an attacker to move from initial access to sensitive data.

For this incident, Cyber Risk Exposure Management could surface risk indicators, such as:

  • Internet-exposed application services that reveal sensitive configuration metadata
  • Applications and service accounts using legacy OAuth 2.0 authentication flows, such as ROPC
  • Accounts that lack MFA enforcement or Conditional Access protections
  • Applications relying on long-lived static client secrets for authentication
  • Potential attack paths, such as the one leading to SharePoint Online, that link exposed services, identity weaknesses, and access to sensitive cloud data

Cyber Risk Exposure Management does not evaluate risks in isolation. Instead, it correlates exposures across identities, cloud services, and external attack surfaces to identify complete attack paths. A single issue may appear moderate on its own; however, when combined with other exposures, it can create a viable route from external access to sensitive enterprise data.

By continuously mapping identity posture, authentication methods, and cloud application exposure, Cyber Risk Exposure Management enables organizations to move from reactive detection toward proactive risk reduction. In scenarios similar to this attack, addressing legacy authentication usage and strengthening identity security controls could significantly reduce the likelihood of credential abuse and unauthorized data access.
